Advisories for Pypi/Lupa package

2026

Lupa has a sandbox escape and RCE due to incomplete attribute_filter enforcement in getattr / setattr

The attribute_filter in the Lupa library is intended to restrict access to sensitive Python attributes when exposing objects to Lua. However, the filter is not consistently applied when attributes are accessed through built-in functions like getattr and setattr. This allows an attacker to bypass the intended restrictions and eventually achieve arbitrary code execution.